- 27 Jul, 2014 1 commit
-
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 23 Jul, 2014 3 commits
-
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
We detect whether ovs-vsctl is available. If so, then we support adding network interfaces to openvswitch bridges with it. Note that with this patch, veths do not appear to be removed from the openvswitch bridge. This seems a bug in openvswitch, as the veths in fact do disappear from the system. If lxc is required to remove the port from the bridge manually, that becomes more complicated for unprivileged containers, as it would require a setuid-root wrapper to be called at shutdown.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Rather than always using eth0. Otherwise unpriv containers cannot have multiple lxc.network.type = veth's without manually setting lxc.network.name =.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 21 Jul, 2014 2 commits
-
-
Ansa89 authored
Signed-off-by: Stefano Ansaloni <ansalonistefano@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Nikolay Martynov authored
This patch adds SIGPWR support to lxc_init. This helps to properly shutdown lxc_init based containers.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 17 Jul, 2014 3 commits
-
-
Serge Hallyn authored
Also fix the comment in lxc-cirros template (which I overlooked last time).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
That mount hook predates the lxc.mount.auto = cgroup option. So mention that instead. Perhaps we should simply drop the mountcgroup hook from the tree, but I'm not doing that in this patch.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
These tests are failing on new kernels because the container root is not privileged over the directories, since privilege now requires the group being mapped into the container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 16 Jul, 2014 2 commits
-
-
KATOH Yasufumi authored
Update Japanese lxc.container.conf(5) for commit 8982c0fd
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
veth.pair is ignored for unprivileged containers, as allowing an unprivileged user to set a specific device name would allow them to trigger actions in tools like NetworkManager or other uevent-based handlers that may react based on specific names or prefixes being used.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 15 Jul, 2014 1 commit
-
-
Claudio Alarcon-Reyes authored
When using unprivileged containers, tty fails because of vhangup. Adding --nohangup to mingetty fixes the issue. This is the same problem that occurred for the oracle template, commit 2e83f720
Signed-off-by: Claudio Alarcon clalarco@gmail.com
-
- 14 Jul, 2014 3 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
The netdev->priv is shared for the netdev types. A bad config file could mix configuration for different types, resulting in a bad netdev->priv when starting or even destroying a container. So sanity check the netdev->type before setting a netdev->priv element. This should fix https://github.com/lxc/lxc/issues/254
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 09 Jul, 2014 5 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Reported-by: Michael J. Evans
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Alexander Dreweke authored
  - added --mirror, --security-mirror and --package parameters
  - generate source.list
  - install packages into final lxc instance
Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Alexander Dreweke authored
Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Alexander Dreweke authored
added space ">/" -> "> /"
Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 07 Jul, 2014 8 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
José Martínez authored
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
José Martínez authored
Fix btrfs support when lxc-create does not bind-mount the rootfs.
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
This is based on the patch submitted by: Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com>
Updated to use lxc.version rather than @LXC_VERSION@ and to apply to both lxc-ls and lxc-device rather than just the former.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dorian Eikenberg authored
Signed-off-by: Dorian Eikenberg <dorian.eikenberg@uni-duesseldorf.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Yuto KAWAMURA(kawamuray) authored
Currently do_reboot_and_check() is decreasing the timeout variable even if it is set to -1, so running 'lxc-stop --reboot --timeout=-1 ...' will exit immediately at the end of the second iteration of the loop, without waiting for the container to reboot. Also, there is no need to call gettimeofday if timeout is set to -1, so these statements should be evaluated only when timeout is enabled.
Signed-off-by: Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Yuto KAWAMURA(kawamuray) authored
/etc/filesystems could contain blank lines and comments. Change find_fstype_cb() to ignore blank lines and comments which start with '#'.
Signed-off-by: Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 03 Jul, 2014 3 commits
-
-
Dwight Engen authored
  - Mounting cgroup:mixed prevents systemd inside the container from moving its children out of the cgroups lxc set up. This ensures the limits set up in the configuration or with lxc-cgroup are effective.
  - Update for the OL7 channel name that will be used on public-yum.oracle.com.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Rodrigo Vaz authored
Signed-off-by: Rodrigo Sampaio Vaz <rodrigo@heroku.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
New kernels require that to have privilege over a file, your userns must have the old and new groups mapped into your userns. So if a file is owned by our uid but another groupid, then we have to chgrp the file to our primary group before we can try (in a new user namespace) to chgrp the file to a group id in the namespace. But in some cases (when cloning) the file may already be mapped into the container. Now we cannot chgrp the file to our own primary group - and we don't have to. So detect that case. Only try to chgrp the file to our primary group if the file is owned by our euid (i.e. not by the container) and the owning group is not already mapped into the container by default. With this patch, I'm again able to both create and clone containers with no errors again.
Reported-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 02 Jul, 2014 1 commit
-
-
Stéphane Graber authored
This updates the common config to include Serge's seccomp profile by default for privileged containers.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 30 Jun, 2014 5 commits
-
-
hallyn authored
lxc-ubuntu: use btrfs subvolumes and snapshots
-
Jesse Tane authored
Signed-off-by: Jesse Tane <jesse.tane@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
stat.st_gid is unsigned long in bionic instead of the expected gid_t, so just cast it to gid_t.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
TAMUKI Shoichi authored
Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries to an existing lxc_conf, not just an ID_TYPE_UID entry, so that lxc-destroy works with unprivileged containers on recent kernels.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
TAMUKI Shoichi authored
Change chown_mapped_root() to map in both the root uid and gid, not just the uid, so that lxc-start works with unprivileged containers on recent kernels.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 27 Jun, 2014 3 commits
-
-
Alexander Vladimirov authored
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Previously this was done by strncpy, but now we just read the len bytes - not including \0 - from a pipe, so pre-fill @value with 0s to be safe. This fixes the python3 api_test failure.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
This allows users to get/set cgroup settings when logged into a different session than that from which they started the container. There is no cgmanager command to do an _abs variant of cgmanager_get_value and cgmanager_set_value. So we fork off a new task, which enters the parent cgroup of the started container, then can get/set the value from there. The reason not to go straight into the container's cgroup is that if we are freezing the container, or the container is already frozen, we'll freeze as well :) The reason to fork off a new task is that if we are in a cgroup which is set to remove-on-empty, we may not be able to return to our original cgroup after making the change. This should fix https://github.com/lxc/lxc/issues/246
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-